February 20, 2010

Jaipur oil depot fire - Sharing of Incident Report

Kudos to the Oil Industry Safety Directorate for posting the independent investigation committee report on the Jaipur oil depot fire (click "MB Lall report" on their website). As far as I know, this is a first in India for sharing incident reports, and it is a very positive change for process safety in India.
On reading the report, the following points come out (I am quoting from the report):
1. "Uncontrolled Loss of Primary Containment in the form of a jet of gasoline: Policy issues - Safety not given adequate priority".
2. "It was observed that safety shut down system envisaging closure of all Motor Operated Valves (MOV) at the inlet and outlet, immediate to the tanks was provided in design and installation but had been decommissioned, a few years ago, probably after 2003, due to some operational issues. The exact timing of the above is not known to the current operating officers".
3. "No External Safety Audit for last 6 years. Internal Safety Audit inadequate as it could not point out any deficiency in design or procedures & practices".
4. "The certifications such as ISO, NSC awards, Greentech awards, Ministry of Labour awards etc., are all based on documentation submitted by the organizations and not on field verifications and safety practices. The awards/recognitions mesmerize the higher management besides giving wrong signals about safety management systems leading to complacencies. It is, therefore, recommended that time and efforts be directed towards annual safety audits by involving non-company experts so as to have unbiased reports. The companies should be cautioned to be circumspect about utilizing agencies and organizations who claim to be providing expert safety advice and assessment".
I THINK THE ABOVE STATEMENTS CLEARLY INDICATE WHERE THE PROBLEMS ARE!
Update 3.7.10:
A reader called Atul has sent me this query: "But how can this be a case of individual fault? My brother-in-law was attending his father's funeral at the time of the accident and could do nothing about it.
In depot fires across the globe, it's the corporations which are at fault and fined. People are given compensation. In India, the employees are put into jail! Is this a JUSTICE system which you are proud of?"
I request Atul to read my latest post on the subject in this link.

February 19, 2010

Process Safety and Asset Integrity

Maintaining asset integrity is one of the key areas of process safety. As I observe more and more competition in the Indian chemical industry, I am beginning to observe a lack of long-term focus on maintaining asset integrity. With current high attrition rates in the chemical industry, it is only natural that a plant manager tends to "adjust" his focus on maintaining asset integrity to ensure that nothing happens during his tenure. This is also mentioned in the investigation report of the BP Texas refinery incident.

Many organizations are implementing process safety management systems without a long-term approach. Such systems will bring in more complacency than good. Another worrying factor is the lack of competency to manage asset integrity programs. I have observed many "in-house" asset integrity teams influenced by their organizational culture in such a way that they get blinded to reality. Top management feels everything is hunky dory when suddenly something fails and everybody wakes up!

The UK HSE chair has said, "Never allow short-term business pressures to blind you to the real and potentially devastating human and business consequences of neglecting process safety and asset integrity".
I will end with a joke - I was chairing a HAZOP study for a bio-ethanol plant coming up in South Africa when one of the participants jokingly asked me, "Doesn't all your negative thinking affect you?" Well, process safety is not about negativity, but about worrying about things that are so obvious to you but not obvious to others!

February 17, 2010

"Non observance of safety norms caused Jaipur oil depot fire"- investigation report

The investigation committee into the Jaipur oil depot fire has pointed out the lack of written operating procedures, absence of leak stopping devices and lack of understanding of hazards and risks as root causes of the incident. See this report for further details.
The committee has also recommended improving operating discipline. This requires a lot of commitment from top management. Operating discipline is easy to bypass in times of cost pressure. I have observed many times that incidents are caused when operating discipline is set aside even though management knows that it is being bypassed. Process safety audit reports should be given due weightage by management. The observations pointed out in an audit report are indicators that something is wrong, and unless they are attended to and the root causes are found, a big incident could occur. How many times can we be lucky?
See other opinions in this link.

February 15, 2010

Hazards of natural gas - explosion in an US Power plant

On 7th February, an explosion was reported in a US power plant. The mayor of that place put it very nicely when he said "Something happened that should not have happened and something did not happen which should have happened".
The explosion involved natural gas. Many facilities use natural gas for power generation, heating and in furnaces. Natural gas is also a raw material for the manufacture of ammonia. Natural gas is like electricity - a bad master but a good servant. For it to be a good servant, your operators must know the hazards of inadequate purging (removal of oxygen from pipelines/vessels) before admitting natural gas. In fact, the US Chemical Safety Board had, just three days before the incident, issued a warning about the hazards involved in natural gas purging - see this safety bulletin.
See this link for a video posted on YouTube about the incident.
My book details the various methods of purging of equipment and pipelines.

Separate your shutdown system from control systems

Today, for cutting costs, many plant owners are trying to incorporate shutdown actions using the control system itself. For example, if there is a control valve that has to close when a predetermined shutdown point is reached, the instrument air to this valve is cut off using a solenoid valve and the valve is designed to "fail closed". You must always keep your shutdown system independent of the control system. This is important from an emergency safe shutdown point of view. There is an interesting case study presented in this link where the shutdown system was designed to be independent of the control system. The control system valve did not close during an emergency due to a failure of a solenoid valve, but the separate shutdown system acted safely.
I have investigated many process incidents where the shutdown system was connected through the control system and it failed to operate. In fact, a friend told me that in one of the ammonia plants in Europe every critical shutdown valve is provided with redundant solenoids for greater reliability. Have another look at all your critical shutdown systems. It's better to be safe than sorry!

February 13, 2010

Reacting in an emergency - Lessons from the Hudson River Landing

On 15th January, 2009, an Airbus flight suffered bird strikes on both engines after take-off. The pilots had to react quickly, and they landed the plane safely on the Hudson River, thus saving lives. Split-second decisions had to be taken and they took the right decisions. A beautiful simulation of the incident is given in this YouTube link.
In a chemical plant emergency, all the years of training and experience will come into play. A wrong decision taken during the emergency could lead to an unsafe condition. Of course, if you have your shutdown systems working well, they will automatically shut down the plant safely. But there are many other things the DCS operator has to do after a shutdown. This is where his training comes in. How are you training your plant operators to handle emergencies? Is experience from actual emergencies shared and are lessons learnt? In India, many of us do not take mock drills seriously. Your lives may depend on it!
Plant operators and shift engineers are the first line of defense against a catastrophe. Are you investing in their training?

Runaway Reactions - Run away if you do not have data!

A runaway reaction is an uncontrolled reaction that does not stop. It can cause catastrophic consequences like rupture of reactors and release of toxic gases. The understanding of reactive chemistry plays a big role in avoiding runaway reactions. Avoid the mistake of scaling up from R & D to plant production without understanding all the details of the reaction and its side reactions. The effect of changes in operating parameters and in batch recipe or quantity must also be understood. Recently a speaker at a seminar mentioned that many batch processes in India are being operated without complete knowledge of the reaction chemistry. I have also investigated a number of incidents involving runaway reactions where operators were operating the batch without proper information on reaction kinetics. There are various scientific tools available to determine these data; accelerating rate calorimetry and differential scanning calorimetry are two of them. Just because you have not experienced a runaway reaction incident, do not be complacent. The only hope of survival in a runaway reaction incident is to run away!
Watch this excellent CSB safety video on the hazards of reactions.

February 12, 2010

Don't Alarm your operator!

I have been following the subject of alarm management in a DCS (Distributed Control System) with great interest. In many process incidents that I investigate (batch and continuous processes), I observe that the flood of alarms that appeared during the emergency effectively negates the usefulness of the alarms. The irony is that we bring in the DCS with its enormous capability and then realize that alarm management in the DCS is a big issue. The root cause of the problem is the misuse of the enormous capability of the DCS. When installing the DCS it is human tendency to assign all probable alarms, thinking that we are using the capability of the DCS! Now the International Society of Automation has brought out a standard called ISA 18.2 - Management of Alarm Systems for the Process Industries - on June 23rd, 2009. The definition of an alarm as stated in the standard is "an audible and/or visible means of indicating to the operator an equipment malfunction, process deviation or abnormal condition requiring a response". How did we manage to forget this definition?

I was part of a team of process engineers and process operators in a world-scale methanol plant, where we sat down to identify whether each alarm that was provided was really necessary or not. To our surprise, at the end of the exercise, we had reduced the alarms by over 50%! Today, there is alarm suppression software sold by various vendors, but I feel the solution is simple - DO NOT COMPLICATE THINGS AT THE BEGINNING ITSELF BY PROVIDING TOO MANY ALARMS!
To achieve the goal of process safety, I am of the opinion that things must be kept simple. In other words, KEEP IT SIMPLE & SAFE (KISS!)

While on the topic of alarm management, I have also observed the other extreme in a few cases - there weren't enough alarms provided. Such issues crop up not in process plants but in storage and transfer facilities, where enough thought was not applied in identifying the alarms required.
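The alarm-flood problem described above can be measured rather than argued about. The following is an added example (not code from the original post): it parses a constructed DCS alarm journal, counts new alarms in a sliding 10-minute window using the ISA 18.2 flood metric of more than 10 alarms in 10 minutes, and lists the "bad actor" tags that an alarm rationalization exercise should look at first. The journal format, tag names and timestamps are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample of a DCS alarm journal (not real plant data), one event per
# line: "YYYY-MM-DD HH:MM:SS,TAG,PRIORITY,STATE" (ALM = new alarm, RTN = return to normal).
ALARM_JOURNAL = """\
2010-02-12 08:00:05,FI-101,LOW,ALM
2010-02-12 08:00:09,PI-205,HIGH,ALM
2010-02-12 08:00:12,TI-310,HIGH,ALM
2010-02-12 08:00:15,FI-101,LOW,RTN
2010-02-12 08:00:20,FI-101,LOW,ALM
2010-02-12 08:00:31,PI-205,HIGH,ALM
2010-02-12 08:00:44,LI-120,HIGH,ALM
2010-02-12 08:01:02,FI-101,LOW,ALM
2010-02-12 08:01:30,PI-205,HIGH,ALM
2010-02-12 08:02:15,FI-101,LOW,ALM
2010-02-12 08:04:05,FI-101,LOW,ALM
2010-02-12 08:05:50,PI-205,HIGH,ALM
2010-02-12 08:07:10,FI-101,LOW,ALM
2010-02-12 08:25:00,FI-101,LOW,ALM
"""

WINDOW = timedelta(minutes=10)
FLOOD_THRESHOLD = 10  # ISA 18.2 flood metric: more than 10 alarms in 10 minutes

def parse_journal(text):
    """Return (timestamp, tag) for each new alarm; RTN lines are not alarms."""
    events = []
    for line in text.splitlines():
        ts, tag, _priority, state = line.split(",")
        if state == "ALM":
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), tag))
    return sorted(events)

def busiest_window(events):
    """Sliding 10-minute window: (max alarm count, start time of that window)."""
    best_count, best_start, start = 0, None, 0
    for end, (t_end, _tag) in enumerate(events):
        while t_end - events[start][0] > WINDOW:  # drop alarms older than 10 min
            start += 1
        if end - start + 1 > best_count:
            best_count, best_start = end - start + 1, events[start][0]
    return best_count, best_start

def is_flood(events):
    return busiest_window(events)[0] > FLOOD_THRESHOLD

def bad_actors(events, n=3):
    """The n tags raising the most alarms: the first candidates for rationalization."""
    return Counter(tag for _ts, tag in events).most_common(n)
```

In the constructed journal the chattering FI-101 alone raises more than half the alarms, which is the usual finding of such an exercise.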

February 11, 2010

Cars can be recalled but Chemical Plants cannot!

The papers are full of news stories about the car recalls for certain models by Toyota and Honda due to design glitches. In one incident, it was reported that a boy was killed when a fire occurred due to water entering a power window motor. In chemical plants, do we have the luxury of recalls? A design mistake may show up in a devastating way, killing many people. In today's plants, modifications are carried out for capacity increase, energy saving etc. But how sure are you that these modifications do not have design glitches? Cutting costs at the design stage has serious repercussions for process safety. Investment in good design costs money, but cutting costs in design may cost lives. Cars can be recalled but plants cannot. Does your organization have the capability for designing changes or modifications? Are you keeping yourself abreast of the latest design codes and standards? Think about it!

Avoid making your operators into procedural robots

I was reading an incident report of an ammonia pipeline rupture in the USA. The pipeline ruptured and released a large amount of ammonia. The case study report available on the NTSB website indicates that even though the operator was receiving a large number of alarms indicating a pipeline rupture, he attributed the drop in line pressure to less supply and more delivery. This skewed his troubleshooting. How many of you are ensuring that your plant operators are trained to analyze data from the DCS and troubleshoot the problem? There is no better defense than a trained and informed operator, and your plant training programs should ensure this. During an emergency an operator cannot refer to procedures, and all his training and knowledge will come to the forefront in troubleshooting the problem correctly.

February 9, 2010

The dangers of decommissioned equipment

Today's Times of India carries a news article mentioning that 7 workers were injured in a boiler blast when they were removing an abandoned boiler from the premises of an industrial explosives factory. It is reported that chemical residues on the floor caught fire and exploded when the workers were attempting to cut the pedestal of the boiler using hot work. How many of your plants, especially old ones, have decommissioned equipment that is not yet removed from service while the rest of the plant is in operation? Decommissioned equipment left in situ poses a danger if it is not properly isolated by blinds. The best option is to remove the decommissioned equipment safely. Many incidents have also been reported in dead legs (piping containing stagnant liquid, which corrodes and leaks after some time) left behind after decommissioned equipment has been removed. These dead legs must be removed at the next available opportunity.
Study your complete plant to identify decommissioned equipment and develop a plan to safely remove them from service.

February 1, 2010

1 out of 1 or 2 out of 3?

Today many organisations are going in for two-out-of-three redundant logic systems for trips. I often wonder how I managed to operate an ammonia plant 25 years ago, fitted with standalone pneumatic instrumentation and no DCS! With modern-day electronics, isn't it expected that the reliability of an electronic transmitter will be better? Do not go in for two-out-of-three transmitters just because it is more "reliable". Have you obtained data on the mean time between failures of electronic transmitters? When you do a LOPA analysis, do not go overboard. The risk criteria used in LOPA should also reflect your organization's past incidents. I have seen many overkills in LOPA studies done by consultants who recommend two-out-of-three systems at the drop of a hat!
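Whether 2oo3 buys anything over a single transmitter depends on the failure-rate data the post asks for, and on how much of the failure is common to all three transmitters. The following is an added example (not code from the original post) using the simplified IEC 61508-6 style PFDavg formulas with a beta-factor common-cause term; the failure rate, proof-test interval and beta value are constructed numbers, and the 50/50 dangerous split in the MTBF conversion is an assumption.

```python
# Simplified average probability of failure on demand (PFDavg) formulas, without a
# repair-time term, to compare a single transmitter (1oo1) with 2-out-of-3 voting.
# lambda_d: dangerous undetected failure rate per hour, derived from MTBF data;
# ti: proof-test interval in hours; beta: fraction of failures that hit all three
# transmitters together (shared impulse line, same process fouling, etc.).

def dangerous_rate_from_mtbf(mtbf_hours, dangerous_fraction=0.5):
    """Convert an MTBF (hours) to a dangerous failure rate per hour (assumed 50/50 split)."""
    return dangerous_fraction / mtbf_hours

def pfd_1oo1(lambda_d, ti):
    """Single transmitter: PFDavg = lambda_d * TI / 2."""
    return lambda_d * ti / 2

def pfd_2oo3(lambda_d, ti, beta=0.0):
    """2oo3 voting: independent term (1-beta)^2 (lambda_d TI)^2 plus the
    common-cause term beta * lambda_d * TI / 2; beta=0 is the idealized case."""
    independent = ((1 - beta) * lambda_d * ti) ** 2
    common_cause = beta * lambda_d * ti / 2
    return independent + common_cause

def sil_band(pfd):
    """SIL band from PFDavg (low-demand mode); 0 means below SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4

def compare(lambda_d, ti, beta):
    """Return (PFD 1oo1, idealized PFD 2oo3, PFD 2oo3 with common cause)."""
    return pfd_1oo1(lambda_d, ti), pfd_2oo3(lambda_d, ti), pfd_2oo3(lambda_d, ti, beta)

if __name__ == "__main__":
    # Constructed numbers: lambda_d = 2e-6 /h, annual proof test, 10 % common cause.
    names = ("1oo1", "2oo3 ideal", "2oo3 beta=0.1")
    for name, pfd in zip(names, compare(2e-6, 8760, 0.1)):
        print(f"{name:14s} PFDavg={pfd:.2e}  RRF={1 / pfd:7.0f}  SIL {sil_band(pfd)}")
```

With these numbers the idealized 2oo3 figure looks like a jump from SIL 2 to SIL 3, but once a 10 % common-cause fraction is included the voted system lands in the same SIL 2 band as the single transmitter.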